National Infrastructure Protection Center NIPC Daily Open Source Report for 11 December 2002
Daily Overview

- CERT has announced Vulnerability Note VU#630355 - "Netscape and iPlanet Enterprise Servers fail to sanitize log files before they are displayed using the administration client." (See item 15)
- Government Computer News reports the National Communications System is introducing its first cellular priority telephone service, available in New York by the end of the month and nationwide by next December. (See item 7)

Power Sector

1. December 10, Reuters - Looking at it this low, historically we have not been able to catch up to an average snow pack," Fox said. The largest dams are on the Columbia River and its tributaries in Washington and Oregon. Scott Pattee, Mount Vernon, Washington-based water supply specialist with the NRCS noted that snowpack in the basin is around 33 percent of normal at the upper end and as low as 20 percent elsewhere. He noted some key areas were faring even worse with the Yakima River basin only around 10 to 11 percent of normal. Fox said the situation is even more serious than the statistics suggest following months of dry weather. Marianne Hallet, an NRCS water supply specialist based in Davis, California, said the northern Sierra Nevada mountains in California were running at 45 percent of normal, the central region at 59 percent and southern section at 93 percent.
Source: http://www.energycentral.com/sections/newsroom/nr_printer_friendly.cfm?id=3509556

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

2.
December 10, MSNBC - Elaborate credit card con still works. No one broke into Doug and Sandy Roth's tiny Seattle office. But somehow, criminals managed to impersonate the couple's Prosynergy Corp. well enough to convince Bank of America Merchant Services to ship some $52,000 in credit card credits to various bank accounts based in Spain. And the Roths knew nothing about it until Bank of America called a few days ago and handed them the bill. The simple but ingenious "credit-back" scheme essentially lets a criminal exploit a fundamental flaw in some credit card processors which allows consumers to buy merchandise with one credit card, then allows them to return the merchandise and receive a credit on a different card. So, for example, in some situations a consumer can buy an item with an American Express card, then return it, and get the credit on their Visa card. Stealing money from a stolen credit card this way can be easy - the criminal uses a stolen credit card, buys a $100 item, then returns it, gets a $100 debit card credit, then withdraws that cash from an ATM.
Source: http://www.msnbc.com/news/844216.asp

Transportation Sector

3. December 10, CNN - TSA says no major problem with hand-held wands. The Transportation Security Administration (TSA) denied Tuesday that it has major problems with a certain brand of hand-held metal detector in widespread use at airport security checkpoints. Troubles with the Garrett brand of wand commonly used by federal airport screeners were outlined in an e-mail sent last month to airport security directors by TSA official John Rooney. The TSA confirms he wrote, "I believe that we have a systemic problem on the reliability of the Garrett SuperWand." Federal screeners discovered that when the wand was turned upside down the unit's battery sometimes disconnected, causing a loss of power to the device.
But TSA spokeswoman Heather Rosenker said only 79 wands were found to have the problem -- out of some 10,000 Garrett SuperWands the TSA uses. Rosenker said the problem involves the battery -- not the wand. "The battery cap is made so that when you used one type of battery (a Duracell 9-volt) rather than another (the EverReady Heavy Duty) ... the way it fits in that compartment there would not be a connection." Rosenker said federal airport security directors have been told to use the EverReady batteries in the wands. Tuesday, she said the TSA will decide whether to order new battery compartment doors, or to mandate that the larger battery be used in the wands.
Source: http://www.cnn.com/2002/TRAVEL/12/10/defective.airport.wands/index.html

4. December 10, New York Times - New rule to limit boarding passes from gate. The Transportation Security Administration will require nearly all airline passengers to obtain boarding passes before they arrive at the security checkpoint rather than at the gate, the agency said today. The goal is to free workers to screen checked bags rather than screen passengers. Under the current system, travelers who are identified by a government-approved computer system are searched a second time, and more thoroughly, at the gate. Under the new system those more thorough searches will be carried out earlier, at the main screening point. Screeners need the boarding pass at the main screening point, rather than the gate, because the pass indicates whether travelers have been selected for more scrutiny. "We're going to reduce the hassle factor by reducing the amount of gate screening we are doing," said Michael Jackson, the deputy transportation secretary. Some travelers are selected at random for extra scrutiny; others because the government's computer program decides there is not enough information about them. In addition, some travelers are on a government watch list. Adm. James M.
Loy, the under secretary of transportation for security, said some gate screening would continue to make sure that terrorists were not able to predict the challenges they would face. "We believe random gate screening is an imperative part of a continuous deterrent exercise," Admiral Loy said.
Source: http://www.nytimes.com/2002/12/10/national/terror/10SECU.html

Gas and Oil Sector

5. December 10, The Virginian-Pilot - Firm wants emergency gas facility for peak use. Virginia Natural Gas (VNG) is building a temporary processing operation in Chesapeake for liquefied natural gas that would help meet peak heating demand on extra-cold days over the next three winters. VNG adds 6,000 to 7,000 customers each year and has to make sure it would have enough gas to serve those customers on the most frigid day ever experienced. The operation would store 50,000 gallons of liquid gas and convert it by heat into vapor to send through the distribution system. VNG has applied for a waiver of federal gas-pipeline safety standards for the project, specifically regarding the construction of two storage tanks.
Source: http://www.pilotonline.com/business/bz1210gas.html

6. December 9, Petroleum Finance Week - Oil will dominate 2030's energy picture, but supply vulnerability grows. Global oil demand is expected to rise by about 1.6 percent per year, driven primarily by the transportation sector. OPEC producers will satiate most of that demand as output from North America and the North Sea declines. With production increasingly concentrated in a small number of countries, the vulnerability of importers to supply disruptions will only intensify. "Supply security has moved to the top of the energy policy agenda," the International Energy Agency's World Energy Outlook 2002 states. "The governments of oil- and gas-importing countries will need to take a more proactive role in dealing with the energy security risks inherent in fossil-fuel trade.
They will need to pay more attention to maintaining the security of international sea-lanes and pipelines. And they will look anew at ways of diversifying their fuels as well as the geographic sources of those fuels."
Source: http://www.oilandgasonline.com/content/news/article.asp?docid={C7D86D6A-9EDC-43B7-AC83-6C33B6E10B25}

Telecommunications Sector

7. December 9, Government Computer News - NCS unveils priority cellular service. The National Communications System is introducing its first cellular priority telephone service, said Peter Fonash, chief of the NCS technology and programs division. The service will be available in New York by the end of the month and will be rolled out nationwide by next December, Fonash said at the E-Gov Homeland Security Conference in Washington. The service mirrors the Government Emergency Telecommunications Service, which gives 70,000 government users priority access to the nation's wireline telecom networks. The National Security Council mandated the wireless priority service in the wake of last year's terrorist attacks. As a stopgap measure, special phones were distributed for the Winter Olympics in Salt Lake City, giving priority access to the VoiceStream satellite service, and 5,000 phones have been distributed in Washington and New York.
Source: http://www.gcn.com/vol1_no1/daily-updates/20605-1.html

Food Sector

8. December 10, Food Production Daily - Sausage casing technology break through. A collaborative effort between casings supplier Viskase and specialty chemical company Rhodia Food has resulted in NOJAX AL, a cellulose casing that effectively reduces the risk of listeria monocytogenes surface contamination in the production of hot dogs and other cooked sausage products. Developed in the U.S., the innovation involves the application of a natural antimicrobial system developed by Rhodia to a meat surface via the cellulose casing manufactured and marketed by Viskase as NOJAX AL.
The technology has won a Generally Recognized as Safe endorsement from the United States Food and Drug Administration and is fully approved for use. According to the companies, after cooking and peeling away the casing, the resultant surface treatment on the hot dog or sausage demonstrates the definite killing of listeria within the first few hours of package life, thus providing an effective safeguard in the event of a post-processing contamination episode.
Source: http://www.foodproductiondaily.com/news/news.asp?id=1842

9. December 9, Business Journal (Minneapolis) - Report says local chicken and turkey products contain antibiotic resistant bacteria. Brand-name chicken and turkey products sold in Minneapolis and St. Paul, Minnesota contain high levels of antibiotic-resistant bacteria, according to a study performed on behalf of the Sierra Club and the Minneapolis-based Institute for Agriculture and Trade Policy. The two groups said that tests showed that 95 percent of whole chickens sold in the area were contaminated with food poisoning caused by Campylobacter bacteria. Salmonella bacteria, which cause intestinal diseases, were found in 45 percent of ground turkey and 62 percent of those bacteria were resistant. Animals are routinely treated with antibiotics even if they are not sick. This practice creates new strains of bacteria that are resistant against the antibiotics commonly used to treat humans when they are infected by these bacteria.
Source: http://twincities.bizjournals.com/twincities/stories/2002/12/09/daily9.html

Water Sector

10. December 10, Water Tech Online - Water Environment Federation offers second round of wastewater security training. The Water Environment Federation (WEF) is conducting a series of wastewater security training seminars that run through May.
WEF said in a news release that the seminars are through a cooperative agreement with the United States Environmental Protection Agency, and will provide publicly owned treatment works with the necessary tools to initiate a vulnerability assessment and develop a security plan designed for each utility's specific needs. The seminars will help wastewater utilities evaluate and determine approaches for reducing their vulnerability to man-made threats and natural disasters, WEF said. Twelve workshops will focus on the VSAT wastewater, wastewater security training software developed by the Association of Metropolitan Sewerage Agencies in collaboration with PA Consulting Group and Scientech Inc.
Source: http://www.watertechonline.com/news.asp?mode=4&N_ID=36682

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

11. December 10, Washington Times - Fire fighting planes grounded for safety. A fleet of government planes used to battle wildfires has been grounded by the Bush administration after an independent study found lax inspections led to an "unacceptable" safety record. A blue-ribbon panel was convened by the Forest Service and Bureau of Land Management in August after two crashes - in which the wings came off of fixed-wing planes - killed five firefighters. Nineteen government-owned P-58 Barons and four Sherpa (Shorts 330) smokejumper aircraft were suspended from service because of concerns raised in the report. Additionally, the government will no longer hire independent contractors to fly C-130A or PB4-Y aircraft previously used as air tankers.
Source: http://www.washingtontimes.com/national/20021210-73416861.htm

Government Operations Sector

12. December 10, Computerworld - White House official: CIOs key to homeland. Private-sector CIOs will play a key role in the work of the new U.S.
Department of Homeland Security, according to Lee Holcomb, director of infrastructure for the White House Office of Homeland Security. Holcomb, who delivered the keynote address here today at the Homeland Security 2002 conference, heads the IT side of the effort to merge 22 federal agencies into the one new department. "The first thing we're doing with CIOs is trying to identify where are those common technologies and, where we can, seek enterprise licenses" so the department is using the same systems, he said. Holcomb and other federal CIOs involved in the creation of the Department of Homeland Security spent the summer consulting with companies such as Hewlett-Packard Co., Exxon Mobil Corp., Raytheon Co. and others that have recently merged with other companies and faced big IT integration projects. The things all of them put in place by Day 1 had to do with communication." Holcomb said his goal is to develop an "enterprise architecture" for the department, a continuation of work he did while serving as CIO at NASA from 1997 until earlier this year.
Source: http://www.computerworld.com/governmenttopics/government/story/0,10801,76557,00.html

Information Technology Sector

13. December 5, Computerworld - Task force report looks at accuracy of Whois data. It's a question that continues to plague the Internet Corporation for Assigned Names and Numbers (ICANN), domain name registrars, the U.S. Congress, and myriad federal agencies: How best to ensure the accuracy of Whois data? Last week, the Domain Name Supporting Organization's (DNSO) Whois Task Force issued a report offering policy recommendations to ensure the accuracy of information contained in the Whois database, the directory that lists names and contact information of people who register domain names.
Although the report addresses how best to rapidly correct data determined to be inaccurate after a complaint is lodged, it doesn't address proactive measures that could be used to screen out incorrect data during the registration process. That issue, according to Marilyn Cade, co-chair of the task force, is something that needs to be addressed, given the growth of "spoofed" Web sites that have been used to try and defraud people online.
Source: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76439,00.html

Cyber Threats and Vulnerabilities

14. December 9, CERT/CC - Vulnerability Note VU#780737 -- Pine MUA contains buffer overflow in addr_list_string(). Pine is a mail user agent (MUA) written and distributed by the University of Washington. Some versions contain a buffer overflow vulnerability in email address handling. Versions of Pine prior to 4.50 contain a remotely exploitable buffer overflow in the addr_list_string() function. Due to incorrect calculation of string length in est_size(), a message From: header that contains a long string of escaped characters can cause a buffer being used by the addr_list_string() function to overflow. It is important to note that the From: header is under full control of the remote user sending mail and as such can contain any characters that they supply. An attacker can construct a message with a crafted From: header that will cause Pine to crash with a segmentation fault and possibly dump core.
Source: http://www.kb.cert.org/vuls/id/780737

15. December 9, CERT/CC - Vulnerability Note VU#630355 -- Netscape and iPlanet Enterprise Servers fail to sanitize log files before they are displayed using the administration client. iPlanet Enterprise Server and Netscape Enterprise Server versions prior to 4.1. SP12 have a vulnerability involving the rendering of <SCRIPT> tags embedded in the web logs when viewed through the administration client.
Requests made to web servers are routinely logged by the web server to a log file, even if these requests are invalid or malicious in some way. Normally, this presents no security problems, and in fact allows administrators to record possible attacks against their system. However, in iPlanet Enterprise Server and Netscape Enterprise Server versions prior to 4.1. SP12, these malicious log entries are not correctly sanitized before being viewed through the browser based administration client. This allows a remote attacker to embed malicious <SCRIPT> tags in the URL of requests, which may be later executed by the administrator when reviewing the logs. When the malicious script embedded in the log files is viewed through the administration client, the administrator has already authenticated to the web server, and has additional privileges.
Source: http://www.kb.cert.org/vuls/id/630355

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (https://gtoc.iss.net/), Last Changed: 26 November 2002
Security Focus ThreatCon: 1 out of 4 (http://analyzer.securityfocus.com), Last Changed: 23 November 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: PE_FUNLOVE.4099
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 1433(ms-sql-s); 21(ftp); 25(smtp); 4662; 8080(webcache); 445(microsoft-ds); 139(netbios-ssn); 27374(asp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

16. December 10, CNN - Iraq dossier hints at 'dirty bomb.' Iraq's declaration of its weapons programs could identify countries or firms that supplied its nuclear, chemical and biological weapons programs, according to a table of contents obtained Monday by CNN.
In a letter that accompanies the nearly 12,000-page document, Foreign Minister Naji Sabri said the dossier's publication "entails risk" of releasing information that violates nonproliferation standards. Sabri called the report "currently accurate, full and complete," but told the U.N. Security Council it contains information that could aid countries seeking to develop nuclear, chemical or biological weapons. The nine-page preface to the report being circulated among council members Monday refers to a terminated "radiation bomb project" -- possibly a so-called radiological weapon, or "dirty bomb." The contents pages also include references to procurement of petrochemicals for Iraq's nuclear weapons program and to "foreign technical assistance" and "relations with companies, representatives and individuals" under its chemical weapons declaration. Diplomatic sources said Security Council members, including the United States, were concerned some of the information might serve as a "training manual" for stockpiling and hiding weapons, and they did not want it to fall into the wrong hands.
Source: http://www.cnn.com/2002/US/12/09/sproject.irq.documents/index.html

17. December 9, Platts Energy News - U.K. officials confirmed intelligence that suggests North Korea obtained a large amount of 6000-grade aluminum from Pakistan, which purchased the material from other sources by violating Western country export control prior to shipping it to North Korea. In October, a few days after the U.S. announced the Democratic People's Republic of Korea (DPRK) had started a crash program to enrich uranium with centrifuges, Western officials told Nucleonics Week that enough aluminum to make several thousand rotor tubes was obtained by the DPRK for that program from Pakistan. They identified the material as so-called 6000-grade aluminum, which has a high tensile strength and has applications in centrifuge uranium enrichment applications.
The Sunday Times newspaper reported on Dec 8 that the aluminum was manufactured and exported to Pakistan by an undisclosed UK firm.
Source: http://www.platts.com/archives/94307.html

18. December 10, CNN - U.S.: Scuds found on ship off Yemen. Pentagon officials said Tuesday that U.S. military weapons specialists have found at least a dozen Scud missiles aboard a ship stopped en route from North Korea, several hundred miles off the coast southeast of Yemen in the Indian Ocean. Scuds are the type of ballistic missiles that Iraqi leader Saddam Hussein used to attack both Saudi Arabia and Israel during the Persian Gulf War. But U.S. officials said there is no indication the ship was headed to Iraq. They said there was every suggestion it was headed to the Horn of Africa. U.S. intelligence had been monitoring the ship since it left North Korea several days ago headed for the Arabian Sea region, officials said. Although the ship did not have a flag, the aide said its crew was North Korean. As to ownership or nationality of the ship, a senior official told CNN it appeared to be a "stateless vessel" and said there was not much in the way of official paperwork on the ship. News of the ship's interception came amid increased tension between the United States and North Korea.
Source: http://www.cnn.com/2002/WORLD/asiapcf/east/12/10/ship.boarding/index.html

19. December 10, New York Times - Israel vaccinates soldiers and health workers. Israel has successfully vaccinated more than 15,000 soldiers and public health workers against smallpox on a voluntary basis since July with virtually no severe side effects, senior Israeli officials say. Israel uses the Lister vaccine strain, different from the strain used by the United States. Dr. Boaz Lev, the director general of Israel's Ministry of Health, said that Lister was less virulent than the American strain and has fewer side effects.
Lev said Israeli doctors and health professionals had screened out those with health conditions that precluded safe inoculation, like pregnant women and people with ailments that suppress the immune system. Five percent of those vaccinated reported side effects like fevers, headaches, muscle pain, fatigue and weakness.
Source: http://www.nytimes.com/2002/12/10/international/middleeast/10ISRA.html

20. December 10, Salt Lake Tribune (Utah) - Hospitals face medication shortages. At hospitals across the country, physicians, pharmacists, and nurses are coping with a potentially dangerous problem of medication shortages. About 80 percent of the shortages involve injected drugs difficult to manufacture because they must be sterile. Experts cite other factors as well. They include fewer drug companies making low-profit vaccines and medicines, sole manufacturers ending production, sudden spikes in demand, shortages of ingredients, and aging plants that no longer meet sterility standards being shut down at least temporarily. The problem is most critical at hospitals and nursing homes, where patients usually are very sick, said Mark Goldberger, the Food and Drug Administration's drug shortage coordinator.
Source: http://www.sltrib.com/2002/Dec/12102002/business/business.asp

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security and professionals and those involved in protecting public and private infrastructures.
By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

- 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
- 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
- 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
- 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk